1.2.4 (2020-08-19)

  • Fix error in README.rst Thanks @der-gabe
  • Fix JWKS handling when the same kid value is used across JWKs with different alg specified Thanks @davidjb
  • Support regex patterns in OIDC_EXEMPT_URLS, to allow exempting session refreshes in SessionMiddleware for URLs matching the pattern Thanks @jwhitlock
  • Move nonce outside of add_state_and_noce_to_session method.
  • Change log level to info for the add_state_and_nonce_to_session.
  • Session save/load management Thanks @Flor1an-dev
  • Allow multiple parallel login sessions Thanks @istreeter

1.2.3 (2020-01-02)

  • Add support for Django 3.x Thanks @jaap3
  • Use new E2E testing images from mozilla namespace
  • Remove support for EOL’ed Django versions

1.2.2 (2019-04-18)

  • Add Mozilla code of conduct
  • Allow overriding OIDC settings per class

1.2.1 (2019-01-22)

  • Make verify_claims compatible with custom scope configuration.

1.2.0 (2019-01-09)

  • Improve travis automation for PyPI releases
  • Allow basic auth for OIDC token endpoint requests Thanks @anttipalola
  • Replace phantomjs with firefox headless for e2e testing
  • Add default email verification claim check Thanks @kerrermanisNL
  • Remove compatibility code for unsupported Django versions
  • Add settings to control redirect behavior Thanks @chrisbrantley

1.1.2 (2018-08-24)

  • Fix JWKS handling when OP returns multiple keys Thanks @JustinAzoff

1.1.1 (2018-08-09)

  • Fix is_safe_url on Django 2.1
  • Fix signature in authenticate method to be compatible with Django 2.1
  • Remove legacy code for unsupported Django < 1.11 Thanks @SirTyson

1.1.0 (2018-08-02)

  • Installation doc fixes Thanks @mklan
  • Drop support for unsupported Django 1.8 and Python 3.3.
  • Refactor authentication backend to make it easier to extend Required by DRF support feature.
  • Add DRF support Thanks @anlutro
  • Improve local docker environment setup
  • Add flag to allow using unsecured tokens
  • Allow using JWK with optional alg Thanks @Algogator

1.0.0 (2018-05-09)

  • Add OIDC_AUTHENTICATION_CALLBACK_URL as a new configuration parameter
  • Fail earlier when JWS algorithm does not OIDC_RP_SIGN_ALGO. Thanks @anlutro
  • RS256 verification through settings.OIDC_OP_JWKS_ENDPOINT Thanks @GermanoGuerrini
  • Refactor OIDCAuthenticationBackend so that token retrieval methods can be overridden in a subclass when you need to.

Backwards-incompatible changes:

  • OIDC_OP_LOGOUT_URL_METHOD takes a request parameter now.
  • Changed name of RefreshIDToken middleware to SessionRefresh.

0.6.0 (2018-03-27)

  • Add e2e tests and automation
  • Add caching for exempt URLs
  • Fix logout when session refresh fails

0.5.0 (2018-01-10)

  • Add Django 2.0 support
  • Fix tox configuration

Backwards-incompatible changes:

  • Drop Django 1.10 support

0.4.2 (2017-11-29)

  • Fix OIDC_USERNAME_ALGO to actually load dotted import path of callback.
  • Add verify_claims method for advanced authentication checks

0.4.1 (2017-10-25)

  • Send bytes to josepy. Fixes python3 support.

0.4.0 (2017-10-24)

Security issues:

  • High: Replace python-jose with josepy and use pyca/cryptography instead of pycrypto (CVE-2013-7459).

Backwards-incompatible changes:

  • OIDC_RP_IDP_SIGN_KEY no longer uses the JWK json as dict but PEM or DER keys instead.

0.3.2 (2017-10-03)



  • Use settings.OIDC_VERIFY_SSL also when validating the token. Thanks @GermanoGuerrini
  • Make OpenID Connect scope configurable. Thanks @puiterwijk
  • Add path host injection unit-test (#171)
  • Revisit OIDC_STORE_{ACCESS,ID}_TOKEN config entries
  • Allow configuration of additional auth parameters

0.3.1 (2017-06-15)

Security issues:

  • Medium: Sanitize next url for authentication view

0.3.0 (2017-06-13)

Security issues:

  • Low: Logout using POST not GET (#126)

Backwards-incompatible changes:

  • The settings.SITE_URL is no longer used. Instead the absolute URL is derived from the request’s get_host().
  • Only log out by HTTP POST allowed.


  • Test suite maintenance (#108, #109, #142)

0.2.0 (2017-06-07)

Backwards-incompatible changes:

  • Drop support for Django 1.9 (#130)

    If you’re using Django 1.9, you should update Django first.

  • Move middleware to mozilla_django_oidc.middleware and change it to use authentication endpoint with prompt=none (#94)

    You’ll need to update your MIDDLEWARE_CLASSES/MIDDLEWARE setting accordingly.

  • Remove legacy base64 handling of OIDC secret. Now RP secret should be plaintext.


  • Add support for Django 1.11 and Python 3.6 (#85)
  • Update middleware to work with Django 1.10+ (#90)
  • Documentation updates
  • Rework test infrastructure so it’s tox-based (#100)


  • always decode verified token before json.load() (#116)
  • always redirect to logout_url even when logged out (#121)
  • Change email matching to be case-insensitive (#102)
  • Allow combining OIDCAuthenticationBackend with other backends (#87)
  • fix is_authenticated usage for Django 1.10+ (#125)

0.1.0 (2016-10-12)

  • First release on PyPI.